Patent Grant
12086262
A container image is a standalone executable package of software that includes everything needed to run an application. A container image typically includes an application and one or more dependencies needed for the application to run, such as system tools, system libraries, and the like.
The examples disclosed herein implement a container build system that, prior to generating an application container image, verifies that any dependencies that will be included in the application container image do not contain any vulnerabilities.
In one implementation a method is provided. The method includes determining, by a container image builder executing on a computing device, that a first container image is to be built. The method further includes initiating, by the container image builder, a build container from a build container image. The method further includes identifying, by the build container, a first dependency to be incorporated into the first container image. The method further includes accessing, by the build container, vulnerability data that identifies a plurality of dependencies that have one or more vulnerabilities. The method further includes, based on the vulnerability data, determining that the first dependency is devoid of vulnerabilities and, in response to determining that the first dependency is devoid of vulnerabilities, generating the first container image to include the first dependency.
In another implementation a computer system is provided. The computer system includes one or more processor devices of one or more computing devices to determine, by a container image builder, that a first container image is to be built. The one or more processor devices are further to initiate, by the container image builder, a build container from a build container image. The one or more processor devices are further to identify, by the build container, a first dependency to be incorporated into the first container image. The one or more processor devices are further to access, by the build container, vulnerability data that identifies a plurality of dependencies that have one or more vulnerabilities. The one or more processor devices are further to, based on the vulnerability data, determine that the first dependency is devoid of vulnerabilities and, in response to determining that the first dependency is devoid of vulnerabilities, generate the first container image to include the first dependency.
In another implementation a non-transitory computer-readable storage medium is provided. The non-transitory computer-readable storage medium includes executable instructions to cause one or more processor devices of one or more computing devices to determine, by a container image builder, that a first container image is to be built. The instructions further cause the one or more processor devices to initiate, by the container image builder, a build container from a build container image. The instructions further cause the one or more processor devices to identify, by the build container, a first dependency to be incorporated into the first container image. The instructions further cause the one or more processor devices to access, by the build container, vulnerability data that identifies a plurality of dependencies that have one or more vulnerabilities. The instructions further cause the one or more processor devices to, based on the vulnerability data, determine that the first dependency is devoid of vulnerabilities and, in response to determining that the first dependency is devoid of vulnerabilities, generate the first container image to include the first dependency.
Individuals will appreciate the scope of the disclosure and realize additional aspects thereof after reading the following detailed description of the examples in association with the accompanying drawing figures.
The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the disclosure and, together with the description, serve to explain the principles of the disclosure.
The examples set forth below represent the information to enable individuals to practice the examples and illustrate the best mode of practicing the examples. Upon reading the following description in light of the accompanying drawing figures, individuals will understand the concepts of the disclosure and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure and the accompanying claims.
Any flowcharts discussed herein are necessarily discussed in some sequence for purposes of illustration, but unless otherwise explicitly indicated, the examples are not limited to any particular sequence of steps. The use herein of ordinals in conjunction with an element is solely for distinguishing what might otherwise be similar or identical labels, such as “first message” and “second message,” and does not imply a priority, a type, an importance, or other attribute, unless otherwise stated herein. The term “about” used herein in conjunction with a numeric value means any value that is within a range of ten percent greater than or ten percent less than the numeric value. As used herein and in the claims, the articles “a” and “an” in reference to an element refers to “one or more” of the element unless otherwise explicitly specified. The word “or” as used herein and in the claims is inclusive unless contextually impossible. As an example, the recitation of A or B means A, or B, or both A and B.
A container image is a standalone executable package of software that includes everything needed to run an application. A container image typically includes an application and one or more dependencies needed for the application to run, such as system tools, system libraries, and the like.
Many dependencies in container images are executable files. Such dependencies may have known vulnerabilities that, if exploited, facilitate nefarious behavior if installed on a computing device. Vulnerability data exists that identifies known vulnerabilities in files, including executable files, that may be a dependency in a container image. An example of vulnerability data is the National Vulnerability Database which is frequently updated to identify newly discovered vulnerabilities.
Containerization technologies are increasingly popular due to the relatively reduced resource utilization compared to other virtualization technologies, such as virtual machines. A container image typically includes at least one executable file that provides a desired functionality, and a number of other files, referred to herein as dependencies, that are required for the executable file to properly execute, including, by way of non-limiting example, system libraries and system tools.
A container image is typically generated using a build file, such as a Dockerfile, that contains instructions that identify the contents of the desired container image, which may include, for example, an application executable and a plurality of dependencies. A build tool, such as Docker, accesses the Dockerfile and generates the container image to include the application executable and the dependencies. The container image may then be distributed to any number of other computing devices. Computing devices subsequently initiate runtime containers from the container image. If the dependencies contained any vulnerabilities, the computing systems may be susceptible to nefarious activities such as hacking, ransomware, or the like.
Container build systems exist, such as OpenShift's source to image system, that utilize a build container image to generate application container images. The build container image includes logic that, when executed as a container, generates an application container image that includes the desired components, such as an application executable and any required dependencies.
Such container build systems inherently rely on users of the container build system to ensure that dependencies do not contain vulnerabilities. Such reliance may be misplaced and the application container images generated by the container build system may inadvertently generate application container images that include dependencies that contain vulnerabilities.
The examples disclosed herein implement a container build image of a container build system, that, prior to generating an application container image, verifies that the dependencies that will be included in the application container image do not contain any vulnerabilities.
In some examples, the container build image not only verifies that dependencies do not contain known vulnerabilities but also inserts a vulnerability checker into the generated application container image. The container build image generates the application container image such that when a container is initiated from the application container image, the vulnerability checker is initially executed to verify that the dependencies in the container image do not contain any known vulnerabilities. In this manner, dependencies, which at container build time had no known vulnerabilities, may later be determined to contain a vulnerability at runtime, and prevented from execution.
A storage device 20 may include one or more application definition files 22-1-22-2 (generally, application definition files 22). While for purposes of illustration only two application definition files 22 are shown, in practice, the storage device 20 may include hundreds or thousands of application definition files 22. Each application definition file 22 may identify one or more application files, such as scripts, executables, source code files, or the like, and one or more dependencies, such as system tools, libraries, or other executable or data files needed for the application to properly execute in a container. In some examples, one or more of the application definition files 22 may comprise Maven™ Project Object Model (POM) XML files.
In this example, the application definition file 22-1 includes an application file reference 24 that identifies an application source code 26. The application definition file 22-1 also includes two dependency references 28-1, 28-2, which refer to dependencies 30-1, 30-2, respectively. The application definition file 22-2 includes an application file reference 32 that identifies an application source code file 34. The application definition file 22-2 also includes two dependency references 36-1, 36-2, which refer to dependencies 30-1, 30-3, respectively.
The storage device 20 may also include a vulnerability checking application 38 that is configured to access vulnerability data that identifies dependencies that have vulnerabilities.
The storage device 20 may include a plurality of build container images 40-1-40-N, each of which is configured to, when initiated as a container, cause the generation of a container image that includes an application and one or more dependencies. The storage device 20 includes a build tool 42 that is configured to determine whether any dependencies that will be part of a generated container image contain any vulnerabilities. In one implementation, the build tool 42 comprises the Maven™ build automation tool that has been modified to have a vulnerability extension 44 that carries out the functionality of determining whether any dependencies that will be part of a generated container image contain any vulnerabilities. The Maven™ build automation tool is a build tool for container images that utilize Java. The Maven™ build automation tool includes a feature that allows the development of custom “extensions” that the Maven™ build automation tool will execute at runtime of the Maven™ build automation tool. Thus, by modifying the Maven™ build automation tool to include the vulnerability extension 44, any subsequently created build container images 40 that are used to create container images that utilize Java will automatically incorporate the functionality of determining whether any dependencies that will be part of a generated container image contain any vulnerabilities by virtue of the modification of the build tool 42 to include the vulnerability extension 44. The build container image 40-1 includes the build tool 42 and vulnerability extension 44, and one or more dependencies 46. Table 1 illustrates example pseudocode for implementing the vulnerability extension 44 in the Maven™ build automation tool such that the vulnerability extension 44 becomes part of the Maven™ build lifecycle.
While solely for purposes of illustration and simplicity only one storage device 20 is shown, in practice, the various files discussed herein as being stored on the storage device 20 may be stored on any number of different storage devices.
With this background, an example of secure container image builds will be discussed. Assume that the container image builder 18 determines that a container image is to be built. The container image builder 18 may make this determination in any suitable manner. In one example, a user 48 may access a client computing device 50 and send, via the client computing device 50, a request to the container image builder 18 to build the container image. The request may include, for example, information identifying a location of application information regarding a first application to be included in the first container image. The information may be, for example, a folder or a file name. The application information may be a configuration file, or other data file, that identifies the application source code file and one or more dependencies. The information may comprise, for example, the name and location of the application definition file 22-1. In some implementations, the application information may be the actual application source code file and the one or more dependencies, or a folder in which the application source code file and the one or more dependencies are located. In response to the request, the container image builder 18 determines that the container image is to be built.
In another example, a request may be automatically generated in response to some event. For example, the user 48 may develop or modify an application source code file, and cause the application source code file to be stored in an application registry 52. In response to the application source code file being stored in the application registry 52, the application registry 52 may automatically generate and send a request to the container image builder 18 to build the container image. The request may include information identifying a location of application information regarding a first application to be included in the first container image. In response to the request, the container image builder 18 determines that the container image is to be built.
The container image builder 18 initiates a build container 54 from the build container image 40-1. In some examples, the container image builder 18 may utilize only the build container image 40-1 to generate container images. In other examples, the container image builder 18 may select a particular build container image 40 of the plurality of build container images 40-1-40-N based on some criteria. For example, the container image builder 18 may analyze an application file, such as the application definition file 22-1, or the application source code 26, and based on an attribute of the application file, select the build container image 40-1 from the plurality of build container images 40-1-40-N. In this example, the container image builder 18 may determine that the application file indicates that Java technology will be used by the application source code 26, and the container image builder 18 may utilize the build container image 40-1 for all container images that will include Java technology.
The build container 54 executes in the memory 16 and includes a build tool instance 42-I, which is a runtime instance of the build tool 42, and a vulnerability extension instance 44-I, which is a runtime instance of the vulnerability extension 44. The build container 54 identifies the dependencies 30-1 and 30-2 as dependencies that will be incorporated into the container image to be built. In this example, the build container 54 identifies the dependencies 30-1 and 30-2 by accessing the application definition file 22-1. In other implementations, the build container 54 may access a predetermined location, such as a predetermined folder, that will be used to store the dependencies for the container image to be built. It is noted that because the build tool 42-I and the vulnerability extension 44-I are components of the build container 54, functionality implemented by either the build tool 42-I and/or the vulnerability extension 44-I may be attributed herein generally to the build container 54. For example, the vulnerability extension 44-I may be the component of the build container 54 that identifies the dependencies 30-1 and 30-2 as dependencies that will be incorporated into the container image to be built.
The build container 54 accesses vulnerability data 56 that identifies a plurality of dependencies that have one or more vulnerabilities. The vulnerability data 56 may comprise any suitable source or sources of information that identify vulnerabilities in dependencies. In one example, the vulnerability data 56 comprises the National Vulnerability Database (NVD) that identifies security-related software flaws, misconfigurations, product names, security checklist references, and the like. In this example, the vulnerability data 56 comprises a plurality of entries 58-1-58-N, each of which identifies a particular dependency that has a vulnerability. Based on the vulnerability data 56, the build container 54 determines that the dependencies 30-1 and 30-2 are devoid of vulnerabilities. In response to this determination, the build container 54 generates a container image 60 that includes an application executable 62 and the dependencies 30-1, 30-2.
Vulnerabilities typically become known over time, and thus, a dependency that is not known to have a vulnerability at one time may subsequently by determined to have a vulnerability. In such situations, prior to knowledge of the vulnerability, the vulnerability of a dependency is not reflected in the vulnerability data 56, and thus the vulnerability extension 44-I may determine that a dependency is devoid of vulnerabilities and may store such dependency in any number of container images that are built by the build container 54. Subsequently, even if it is determined that the dependency does have one or more vulnerabilities, it may be impractical or impossible to determine the container images that the build container 54 has built using the dependency.
Accordingly, in this example, the build container 54 may automatically, even absent instruction or request, insert or cause to be inserted the vulnerability checking application 38 into container images that the build container 54 builds.
The vulnerability checking application 38 may comprise any suitable application that implements the functionality of checking dependencies for vulnerabilities, such as, by way of non-limiting example, Snyk (available at snyk.io) or any other vulnerability scanning tool. The build container 54 may also generate the container image such that, upon initiation of a container from the container image, the vulnerability checking application 38 is the first application that is initiated upon initiation of the container. In this example, the build container 54 has automatically inserted the vulnerability checking application 38 into the container image 60. Thus, upon initiation of a container from the container image 60, the vulnerability checking application 38 will execute and access vulnerability data to determine whether the dependencies 30-1 and 30-2, subsequent to the generation of the container image 60, were determined to contain vulnerabilities. If so, the container can take any suitable action, such as terminating the container and issuing an alert identifying the dependency 30-1 and/or 30-2 as having a vulnerability, pausing and providing an opportunity for a human, such as the user 48 or operator, to determine whether the container should continue to execute despite the vulnerability or terminate, or the like.
In some implementations, the build container images 40- 1-40-N may be stored in a location that prevents access from unauthorized individuals, such as, for example, the user 48, and thus users of the container image builder 18 have no ability to avoid or bypass the protections implemented by the vulnerability extension 44 during container image build time, and the vulnerability checking application 38 during container runtime.
It is noted that while, for purposes of illustration and simplicity, the examples are illustrated as being implemented by the single processor device 14 on the single computing device 12, in other environments, such as a distributed and/or clustered environment, the examples may be implemented on a computer system that includes a plurality of processor devices of a plurality of different computing devices, and functionality of the examples may be implemented on different processor devices of different computing devices. For example, the container image builder 18 may execute on one processor device of one computing device, and may initiate the build container 54 on another computing device that has another processor device set. Thus, irrespective of the implementation, the examples may be implemented on a computer system that includes one or more processor devices of one or more computing devices.
Moreover, because the container image builder 18 and the build container 54 are components of the computing device 12, functionality implemented by the container image builder 18 and the build container 54 may be attributed to the computing device 12 generally. Moreover, in examples where the container image builder 18 and the build container 54 comprise software instructions that program the processor device 14 to carry out functionality discussed herein, functionality implemented by the container image builder 18 and the build container 54 may be attributed herein to the processor device 14.
The build container 64 identifies the dependencies 30-1 and 30-3 as dependencies that will be incorporated into the container image to be built. In this example, the build container 64 identifies the dependencies 30-1 and 30-3 by accessing the application definition file 22-2. In other implementations, the build container 64 may access a predetermined location, such as a predetermined folder, that will be used to store the dependencies for the container image to be built.
The build container 64 accesses the vulnerability data 56 that identifies a plurality of dependencies that have one or more vulnerabilities. In this example, based on the entry 58-1 of the vulnerability data 56, the build container 64 determines that the dependency 30-3 contains a vulnerability. In response to determining that the dependency 30-3 contains a vulnerability, the build container 64 takes an action. The action taken may be system dependent, configuration dependent, or based on some characteristics of the vulnerability itself as indicated by the vulnerability data 56.
For example, the build container 64 may inhibit the generation of the container image. The build container 64 may also send an alert 66 to an operator or the user 48 that indicates that the container image will not be built and/or indicates that the dependency 30-3 contains a vulnerability.
As another example, the build container 64 may automatically determine whether there are other versions of the dependency 30-3, such as subsequent versions, that are compatible with the dependency 30-3 and that are devoid of vulnerabilities. In this example, the build container 64 determines that a dependency 30-4 is a backward compatible version of the dependency 30-3. The build container 64 accesses the vulnerability data 56 and determines that the dependency 30-4 is devoid of vulnerabilities. The build container 64 then automatically, without human involvement, generates a container image 68 that includes an application executable 70 based on an application source 72, the dependencies 30-1, 30-4, and the vulnerability checking application 38. In this manner, the build container 64 automatically replaces a version of a dependency that has known vulnerabilities with a dependency that has no known vulnerabilities, irrespective of the contents of the application definition file 22-2.
As another example, the build container 64 may send an alert to an operator or the user 48 indicating that the dependency 30-3 contains a vulnerability, and provide an opportunity for the recipient of the alert to provide an instruction to proceed or terminate. If the instruction is to proceed, the build container 64 may generate a new container image that includes the dependency 30-3, despite the dependency 30-3 containing a vulnerability.
The system bus 74 may be any of several types of bus structures that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and/or a local bus using any of a variety of commercially available bus architectures. The memory 16 may include non-volatile memory 76 (e.g., read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc.), and volatile memory 78 (e.g., random-access memory (RAM)). A basic input/output system (BIOS) 80 may be stored in the non-volatile memory 76 and can include the basic routines that help to transfer information between elements within the computing device 12. The volatile memory 78 may also include a high-speed RAM, such as static RAM, for caching data.
The computing device 12 may further include or be coupled to a non-transitory computer-readable storage medium such as the storage device 20, which may comprise, for example, an internal or external hard disk drive (HDD) (e.g., enhanced integrated drive electronics (EIDE) or serial advanced technology attachment (SATA)), HDD (e.g., EIDE or SATA) for storage, flash memory, or the like.
A number of modules can be stored in the storage device 20 and in the volatile memory 78, including an operating system and one or more program modules, such as the container image builder 18 and the build container 54, which may implement the functionality described herein in whole or in part. All or a portion of the examples may be implemented as a computer program product 82 stored on a transitory or non-transitory computer-usable or computer-readable storage medium, such as the storage device 20, which includes complex programming instructions, such as complex computer-readable program code, to cause the processor device 14 to carry out the steps described herein. Thus, the computer-readable program code can comprise software instructions for implementing the functionality of the examples described herein when executed on the processor device 14. The processor device 14, in conjunction with the container image builder 18 and the build container 54 in the volatile memory 78, may serve as a controller, or control system, for the computing device 12 that is to implement the functionality described herein.
An operator may also be able to enter one or more configuration commands through a keyboard (not illustrated), a pointing device such as a mouse (not illustrated), or a touch-sensitive surface such as a display device. Such input devices may be connected to the processor device 14 through an input device interface 84 that is coupled to the system bus 74 but can be connected by other interfaces such as a parallel port, an Institute of Electrical and Electronic Engineers (IEEE) 1394 serial port, a Universal Serial Bus (USB) port, an IR interface, and the like. The computing device 12 may also include a communications interface 86 suitable for communicating with a network as appropriate or desired.
Individuals will recognize improvements and modifications to the preferred examples of the disclosure. All such improvements and modifications are considered within the scope of the concepts disclosed herein and the claims that follow.
| Number | Name | Date | Kind |
|---|---|---|---|
| 8813031 | Agarwal | Aug 2014 | B2 |
| 9355248 | Wiest et al. | May 2016 | B1 |
| 9436585 | Bak | Sep 2016 | B1 |
| 9766915 | Emelyanov | Sep 2017 | B1 |
| 9823915 | Maloney | Nov 2017 | B1 |
| 10235527 | Dalessio | Mar 2019 | B1 |
| 10379845 | Parees et al. | Aug 2019 | B2 |
| 10515005 | Burrell | Dec 2019 | B1 |
| 10635437 | Kunjuramanpillai | Apr 2020 | B1 |
| 10691810 | Freitag | Jun 2020 | B1 |
| 10693899 | Levin | Jun 2020 | B2 |
| 10817611 | Glynn | Oct 2020 | B1 |
| 11093221 | Novy | Aug 2021 | B1 |
| 11138314 | Gettys | Oct 2021 | B1 |
| 11200157 | Mathew | Dec 2021 | B1 |
| 11307839 | Vaddi | Apr 2022 | B2 |
| 11442765 | Zhang | Sep 2022 | B1 |
| 11487538 | Gove, Jr. | Nov 2022 | B1 |
| 11487878 | Zhang | Nov 2022 | B1 |
| 11531763 | Gupta | Dec 2022 | B1 |
| 11552979 | Soudhamma | Jan 2023 | B1 |
| 11595372 | Sharifi Mehr | Feb 2023 | B1 |
| 11762850 | Rupprecht | Sep 2023 | B2 |
| 11783047 | Hodgman | Oct 2023 | B1 |
| 11892418 | Featonby | Feb 2024 | B1 |
| 20100169968 | Shanbhogue | Jul 2010 | A1 |
| 20140115328 | Allen | Apr 2014 | A1 |
| 20140337824 | St. John | Nov 2014 | A1 |
| 20150082298 | Wang | Mar 2015 | A1 |
| 20150268948 | Plate | Sep 2015 | A1 |
| 20160381075 | Goyal | Dec 2016 | A1 |
| 20170109536 | Stopel | Apr 2017 | A1 |
| 20170116042 | Xu | Apr 2017 | A1 |
| 20170255544 | Plate | Sep 2017 | A1 |
| 20170315795 | Keller | Nov 2017 | A1 |
| 20170372072 | Baset | Dec 2017 | A1 |
| 20180025160 | Hwang | Jan 2018 | A1 |
| 20180032735 | Sheth | Feb 2018 | A1 |
| 20180046446 | Turovsky | Feb 2018 | A1 |
| 20180129479 | McPherson | May 2018 | A1 |
| 20180139238 | Schultz | May 2018 | A1 |
| 20180189089 | Chen | Jul 2018 | A1 |
| 20180285139 | Shapira | Oct 2018 | A1 |
| 20180285165 | Helsley | Oct 2018 | A1 |
| 20180285199 | Mitkar | Oct 2018 | A1 |
| 20180336351 | Jeffries | Nov 2018 | A1 |
| 20190005246 | Cherny | Jan 2019 | A1 |
| 20190026474 | Adam | Jan 2019 | A1 |
| 20190028490 | Chen | Jan 2019 | A1 |
| 20190042713 | Porcelli | Feb 2019 | A1 |
| 20190146772 | Griffin | May 2019 | A1 |
| 20190146816 | Reno | May 2019 | A1 |
| 20190163901 | Tien | May 2019 | A1 |
| 20190303579 | Reddy | Oct 2019 | A1 |
| 20190310935 | Shuster | Oct 2019 | A1 |
| 20190347121 | Luo | Nov 2019 | A1 |
| 20190347127 | Coady | Nov 2019 | A1 |
| 20190392045 | De Lima Junior | Dec 2019 | A1 |
| 20200110873 | Rosendahl | Apr 2020 | A1 |
| 20200125344 | Varghese | Apr 2020 | A1 |
| 20200125480 | Sathyamoorthy | Apr 2020 | A1 |
| 20200150940 | Li | May 2020 | A1 |
| 20200150974 | Li | May 2020 | A1 |
| 20200183670 | Kumar | Jun 2020 | A1 |
| 20200202006 | Shah | Jun 2020 | A1 |
| 20200226024 | Lin | Jul 2020 | A1 |
| 20200236093 | Bannister | Jul 2020 | A1 |
| 20200241867 | Gainsborough | Jul 2020 | A1 |
| 20200242254 | Velur | Jul 2020 | A1 |
| 20200272440 | Burgazzoli | Aug 2020 | A1 |
| 20200310775 | Nyamars | Oct 2020 | A1 |
| 20200320203 | Ting | Oct 2020 | A1 |
| 20200356681 | Sun | Nov 2020 | A1 |
| 20200359451 | Reno | Nov 2020 | A1 |
| 20200364072 | Raja Jayraman | Nov 2020 | A1 |
| 20200410106 | Nadgowda | Dec 2020 | A1 |
| 20200412769 | Yi | Dec 2020 | A1 |
| 20210019193 | Ffrench | Jan 2021 | A1 |
| 20210042217 | Hwang | Feb 2021 | A1 |
| 20210056209 | Fox | Feb 2021 | A1 |
| 20210103450 | Prasad | Apr 2021 | A1 |
| 20210126949 | Nadgowda | Apr 2021 | A1 |
| 20210141645 | Kramer | May 2021 | A1 |
| 20210141717 | Ananthapur Bache | May 2021 | A1 |
| 20210149685 | Reinders | May 2021 | A1 |
| 20210255846 | Mamgain | Aug 2021 | A1 |
| 20210271777 | Netsch | Sep 2021 | A1 |
| 20210281597 | Guiroux | Sep 2021 | A1 |
| 20210306304 | Hwang | Sep 2021 | A1 |
| 20220004643 | Sloane | Jan 2022 | A1 |
| 20220075760 | Wu | Mar 2022 | A1 |
| 20220083667 | Anwar | Mar 2022 | A1 |
| 20220116216 | Wolfson | Apr 2022 | A1 |
| 20220122016 | Krishnamoorthy | Apr 2022 | A1 |
| 20220147560 | Chen | May 2022 | A1 |
| 20220164170 | Benton | May 2022 | A1 |
| 20220222351 | Levin | Jul 2022 | A1 |
| 20220318395 | Janakiraman | Oct 2022 | A1 |
| 20220318396 | Deng | Oct 2022 | A1 |
| 20220366055 | Malvankar | Nov 2022 | A1 |
| 20220374218 | Monteiro Vieira | Nov 2022 | A1 |
| 20220398324 | Bosch | Dec 2022 | A1 |
| 20230004650 | Chapman | Jan 2023 | A1 |
| 20230025526 | Grzybek | Jan 2023 | A1 |
| 20230027810 | Pokorny | Jan 2023 | A1 |
| 20230061121 | Tosevska | Mar 2023 | A1 |
| 20230297348 | Wang | Sep 2023 | A1 |
| Entry |
|---|
| Author Unknown, “Chapter 2. Source-to-Image (S21), ” Red Hat, 2021, https://access.redhat.com/documentation/en-us/openshift_online/3/html/using_images/source-to-image-s2i , 32 pages. |
| Michas, N., “OWASP Vulnerability Checks With Maven,” ITNEXT, Mar. 24, 2020, https://itnext.io/owasp-dependency-check-maven-vulnerabilities-java-898a9cf99f5e, 7 pages. |
| Pashchenko, I. et al., “Vulnerable Open Source Dependencies: Counting Those That Matter,” ESEM '18: Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, Oct. 11-12, 2018, Oulu, Finland, Association for Computing Machinery, 11 pages. |
| Ponta, S. et al., “Detection, assessment and mitigation of vulnerabilities in open source dependencies, ” Empirical Software Engineering, vol. 25, Jun. 30, 2020, Springer, pp. 3175-3215. |
| Plate, H. et al., “Impact assessment for vulnerabilities in open-source software libraries,” arXiv:1504.04971v2 [cs.CR], Apr. 21, 2015, https://arxiv.org/pdf/1504.04971.pdf, 11 pages. |
| Vermeer, B., “Fixing vulnerabilities in Maven projects,” Synk, Sep. 14, 2020, https://snyk.io/blog/fixing-vulnerabilities-in-maven-projects/, 6 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20230036739 A1 | Feb 2023 | US |
